From 78ab1da232f31f695f5c362d863593a143aa8b56 Mon Sep 17 00:00:00 2001 From: Alok Menghrajani Date: Thu, 22 Jan 2015 09:55:37 -0800 Subject: [PATCH] Ensure verifySignature does not leak useful timing information This avoids easy timing attacks against signature verification by double-hashing before comparing values. The information we leak after this patch is useless unless the hash function is completely broken. Closes #36 --- lib/verify.js | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/lib/verify.js b/lib/verify.js index f6ad0c2..8c34aee 100644 --- a/lib/verify.js +++ b/lib/verify.js @@ -48,9 +48,23 @@ module.exports = { if (!alg || alg.length !== 2) throw new TypeError('parsedSignature: unsupported algorithm ' + parsedSignature.algorithm); + var hashAlg = alg[1].toUpperCase(); - var hmac = crypto.createHmac(alg[1].toUpperCase(), secret); + var hmac = crypto.createHmac(hashAlg, secret); hmac.update(parsedSignature.signingString); - return (hmac.digest('base64') === parsedSignature.params.signature); + + /* + * Now double-hash to avoid leaking timing information - there's + * no easy constant-time compare in JS, so we use this approach + * instead. See for more info: + * https://www.isecpartners.com/blog/2011/february/double-hmac- + * verification.aspx + */ + var h1 = crypto.createHmac(hashAlg, secret); + h1.update(hmac.digest()); + var h2 = crypto.createHmac(hashAlg, secret); + h2.update(new Buffer(parsedSignature.params.signature, 'base64')); + + return (h1.digest().equals(h2.digest())); } };